talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixos/dovecot: improve and harden systemd unit (#418722)

Browse Source
This commit is contained in:
Martin Weinelt 2025-07-03 23:44:45 +02:00 committed by GitHub
commit 88565a8620
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 51 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
nixos/modules/services/mail/dovecot.nix
View File

@ -692,23 +692,67 @@ in
environment.etc."dovecot/dovecot.conf".source = cfg.configFile; environment.etc."dovecot/dovecot.conf".source = cfg.configFile;
systemd.services.dovecot2 = { systemd.services.dovecot = {
aliases = [ "dovecot2.service" ];
description = "Dovecot IMAP/POP3 server"; description = "Dovecot IMAP/POP3 server";
documentation = [
"man:dovecot(1)"
"https://doc.dovecot.org"
];
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
restartTriggers = [ restartTriggers = [ cfg.configFile ];
cfg.configFile
];
startLimitIntervalSec = 60; # 1 min startLimitIntervalSec = 60; # 1 min
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
ExecStart = "${dovecotPkg}/sbin/dovecot -F"; ExecStart = "${dovecotPkg}/sbin/dovecot -F";
ExecReload = "${dovecotPkg}/sbin/doveadm reload"; ExecReload = "${dovecotPkg}/sbin/doveadm reload";
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_DAC_OVERRIDE"
"CAP_FOWNER"
"CAP_NET_BIND_SERVICE"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_CHROOT"
"CAP_SYS_RESOURCE"
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
OOMPolicy = "continue";
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = lib.mkDefault false;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
PrivateDevices = true;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "1s"; RestartSec = "1s";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = false; # sets sgid on maildirs
RuntimeDirectory = [ "dovecot2" ]; RuntimeDirectory = [ "dovecot2" ];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service @resources"
"~@privileged"
"@chown @setuid capset chroot"
];
}; };
# When copying sieve scripts preserve the original time stamp # When copying sieve scripts preserve the original time stamp

4
nixos/tests/dovecot.nix
View File

@ -84,11 +84,13 @@ import ./make-test-python.nix {
testScript = '' testScript = ''
machine.wait_for_unit("postfix.service") machine.wait_for_unit("postfix.service")
machine.wait_for_unit("dovecot2.service") machine.wait_for_unit("dovecot.service")
machine.succeed("send-testmail") machine.succeed("send-testmail")
machine.succeed("send-lda") machine.succeed("send-lda")
machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]') machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
machine.succeed("test-imap") machine.succeed("test-imap")
machine.succeed("test-pop") machine.succeed("test-pop")
machine.log(machine.succeed("systemd-analyze security dovecot.service | grep -v "))
''; '';
} }